Bitdefender researchers have recently identified a new backdoor that targets macOS devices and is potentially linked to the notorious ransomware operators BlackBasta and ALPHV/BlackCat. This backdoor, named Trojan.MAC.RustDoor, is written in Rust, which makes it extremely challenging for security researchers to analyze and detect its malicious code, giving malware authors a significant advantage.
The backdoor impersonates a Visual Studio update and is distributed as FAT binaries with Mach-O files for Intel x86_64 and ARM architectures. It utilizes several file names such as zshrc2, Previewers, VisualStudioUpdater, VisualStudioUpdating, visualstudioupdate, VisualStudioUpdater_Patch, and DO_NOT_RUN_ChromeUpdates. The first samples of the backdoor were discovered in November 2023, with the most recent detection on 2nd February 2024.
The Trojan.MAC.RustDoor backdoor has multiple variants, including Variant 1, Variant 2, and Variant Zero. Despite their differences, most samples share core functionalities. Variant 1, which is a testing version of the backdoor, was first detected on 22nd November 2023. Variant 2, identified on 30th November 2023, is an upgraded version containing a complex JSON configuration and an embedded AppleScript for data exfiltration. Variant Zero, discovered on 2nd February 2024, is the least complex variant, lacking both the AppleScript and an embedded configuration.
All samples of this backdoor contain the same backdoor functionality, supporting commands such as ps, shell, cd, mkdir, rm, rmdir, sleep, upload, botkill, dialog, taskkill, and download. These commands enable the malware to gather and upload files and collect information about the infected device. Additionally, the output of specific commands is submitted to the Register endpoint of the C2 server to receive a Victim ID.
According to Bitdefender’s findings, the communication between the backdoor and the C2 servers is performed using endpoints such as POST /gateway/register, POST /gateway/report, /gateway/task, and /tasks/upload_file. As of now, the C2 servers are responding with the message “detail”: “Not found”.
Despite its relatively recent discovery, the Trojan.MAC.RustDoor backdoor employs various persistence mechanisms, including lock_in_cron, lock_in_launch, lock_in_dock, and lock_in_rc. These methods ensure that the malware remains active and evades detection by security software.
The lock_in_cron and lock_in_launch methods use cron jobs and LaunchAgents, respectively, to execute the malicious binary. At the same time, lock_in_dock modifies the Dock to add the binary and execute it whenever a new ZSH session is opened. The discovery of these persistence mechanisms highlights the backdoor’s sophistication and the complexity of threats targeting macOS systems.
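A defensive triage sketch for the lock_in_cron and lock_in_launch persistence described above, added here as an example and not taken from Bitdefender's report or from the malware: it checks crontab text and LaunchAgent plists for commands whose file name exactly matches one of the sample names listed earlier in this article. The sample plists, crontab, user name and paths are constructed, and exact-name matching is an assumption, so a hit is a lead to investigate rather than proof of infection.

```python
import plistlib

# File names the article lists for RustDoor samples.
RUSTDOOR_NAMES = {
    "zshrc2", "Previewers", "VisualStudioUpdater", "VisualStudioUpdating",
    "visualstudioupdate", "VisualStudioUpdater_Patch", "DO_NOT_RUN_ChromeUpdates",
}

def _listed_name(token):
    """Return the final path component if it exactly matches a listed name."""
    name = token.strip("'\"").rstrip("/").rsplit("/", 1)[-1]
    return name if name in RUSTDOOR_NAMES else None

def check_launch_agent(plist_bytes, source="<plist>"):
    """Inspect Program / ProgramArguments of one LaunchAgent plist (XML or binary)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:  # a malformed plist is reported instead of silently skipped
        return [(source, "unparseable plist", None)]
    if not isinstance(job, dict):
        return []
    args = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        args.insert(0, job["Program"])
    hits = [_listed_name(a) for a in args if isinstance(a, str)]
    return [(source, "LaunchAgent", h) for h in hits if h]

def check_crontab(text, source="<crontab>"):
    """Check every token of each active crontab line, skipping comments."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in line.split():
            hit = _listed_name(token)
            if hit:
                findings.append((source, "cron", hit))
    return findings

# Constructed sample inputs (not real artifacts).
SAMPLE_PLIST = plistlib.dumps({"Label": "com.example.constructed", "RunAtLoad": True,
    "ProgramArguments": ["/Users/alice/Library/VisualStudioUpdater_Patch"]})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.benign", "Program": "/usr/local/bin/backup"})
SAMPLE_CRON = "# constructed\n*/5 * * * * /Users/alice/.local/zshrc2\n0 3 * * * /usr/bin/true\n"

if __name__ == "__main__":
    print(check_launch_agent(SAMPLE_PLIST, "sample.plist") + check_crontab(SAMPLE_CRON, "alice"))
```

On a live host the inputs would come from the files under `~/Library/LaunchAgents` and the output of `crontab -l` for each user.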
Given the potentially dire impact of such a backdoor, research is ongoing to understand the full extent of its capabilities and its potential impact on macOS users. Stay tuned as we continue to track new developments and information related to Trojan.MAC.RustDoor and its possible connection to well-known ransomware operators.